ICS-CERT Monthly Monitor Report for February 2012

Monday, March 12, 2012

In January, ICS-CERT identified and responded to a cyber intrusion into a building Energy Management System (EMS) used to control heating and cooling for a state government facility. The incident and facility were identified by ICS-CERT after correlating a variety of information posted in open sources.

ICS-CERT established contact with the facility and informed them of the open-source posting of their information. Facility personnel reported to ICS-CERT that they had discovered unauthorized adjustments to the EMS control settings that had resulted in unusually warm temperatures in the facility.

Concerned about this anomalous activity, quick-thinking personnel had reset the system settings to normal values and had adjusted the configuration to remove Internet accessibility. They also preserved all available logs from the time of the incident and provided them to ICS-CERT for further analysis.

ICS-CERT analyzed the provided telemetry data and access logs and determined that temperature set points had been changed by an unauthorized user via the Internet-accessible interface. Someone had gained access to this system even though the remote logon configuration required a password.

ICS-CERT strongly recommends that asset owners and operators audit their configurations for Internet accessibility, regardless of whether they believe they have Internet-accessible devices. Control systems are often found to have Internet-accessible devices installed of which the asset owners and operators are unaware. These situations pose an increased risk of attack to those systems.
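As an added illustration, not part of the ICS-CERT report, the following script shows the kind of log correlation described above, run over constructed sample lines in a hypothetical EMS log format: it ties each set-point change to the source address of that user's most recent successful remote logon and flags changes made from outside the site's trusted networks or outside a plausible temperature band. The log format, the trusted networks and the set-point band are assumptions a site would replace with its own.

```python
import ipaddress
import re

# Trusted management networks (assumed, site-specific); any other logon source
# is treated as "Internet" for this check.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Plausible occupied-space set-point band in degrees Fahrenheit (assumed).
SETPOINT_BAND = (65.0, 76.0)

# Constructed sample log lines in a hypothetical EMS format. A successful remote
# logon precedes the set-point changes made during that session.
SAMPLE_LOG = """\
2012-01-17 02:11:03 LOGIN user=operator src=10.20.1.15 result=OK
2012-01-17 02:14:40 SETPOINT zone=Lobby old=70 new=71 user=operator
2012-01-17 23:47:12 LOGIN user=operator src=203.0.113.45 result=OK
2012-01-17 23:49:55 SETPOINT zone=Floor2 old=70 new=88 user=operator
2012-01-17 23:50:30 SETPOINT zone=Lobby old=71 new=72 user=operator
"""

# Only successful logons (result=OK) establish a session; failed attempts are ignored here.
LOGIN_RE = re.compile(r"^(\S+ \S+) LOGIN user=(\S+) src=(\S+) result=OK$")
SETPOINT_RE = re.compile(r"^(\S+ \S+) SETPOINT zone=(\S+) old=(\S+) new=(\S+) user=(\S+)$")


def find_suspicious_setpoint_changes(log_text, trusted_nets=TRUSTED_NETS, band=SETPOINT_BAND):
    """Return (timestamp, zone, new_value, reasons) for each set-point change made
    in a session whose logon came from outside trusted_nets (or with no logon seen
    at all), or that moved the set point outside the plausible band."""
    last_login_src = {}  # user -> source address of most recent successful logon
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            _, user, src = m.groups()
            last_login_src[user] = ipaddress.ip_address(src)
            continue
        m = SETPOINT_RE.match(line)
        if not m:
            continue
        ts, zone, _old, new, user = m.groups()
        reasons = []
        src = last_login_src.get(user)
        if src is None or not any(src in net for net in trusted_nets):
            reasons.append(f"set point changed in session logged on from untrusted source {src}")
        if not band[0] <= float(new) <= band[1]:
            reasons.append(f"new set point {new} outside plausible band {band[0]}-{band[1]}")
        if reasons:
            findings.append((ts, zone, float(new), reasons))
    return findings


if __name__ == "__main__":
    for ts, zone, new, reasons in find_suspicious_setpoint_changes(SAMPLE_LOG):
        print(ts, zone, new, "; ".join(reasons))
```

On the constructed sample the 02:14 Lobby change from an internal address is accepted, while both changes in the 23:47 session from 203.0.113.45 are flagged, the Floor2 change for two reasons.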